From 8b59e0c8bc09d4e7878d523a1f0cc1c777b1ad33 Mon Sep 17 00:00:00 2001
From: Andy Ning
Date: Fri, 25 Mar 2022 17:15:06 -0400
Subject: [PATCH] Add ppolicy-check-password library for ldap on Debian This change added ppolicy-check-password package from https://github.com/cedric-dufour/ppolicy-check-password This package contains check_password.so that is used by ldap to enforce password complexity for ldap users. Test Plan for Debian: PASS: package build, image build PASS: system bootstrap, controller unlock PASS: after controller unlock, login by "admin" user on console, and su to "admin" on ssh session. PASS: failure path with incompliant passwords for ldap user password change (eg, change password when first login) Story: 2009101 Task: 44864 Signed-off-by: Andy Ning Change-Id: If5a1e5c6784c7354c0a4903e1d1c4abb21d8a01f
---
 ...lding-ppolicy-check-password-library.patch | 119 ++++++++++++++++++
 ldap/openldap/debian/deb_patches/series | 1 +
 .../openldap/debian/files/check_password.conf | 31 +++++
 ldap/openldap/debian/meta_data.yaml | 6 +
 4 files changed, 157 insertions(+)
 create mode 100644 ldap/openldap/debian/deb_patches/0002-Support-building-ppolicy-check-password-library.patch
 create mode 100644 ldap/openldap/debian/files/check_password.conf
diff --git a/ldap/openldap/debian/deb_patches/0002-Support-building-ppolicy-check-password-library.patch b/ldap/openldap/debian/deb_patches/0002-Support-building-ppolicy-check-password-library.patch
new file mode 100644
index 000000000..0b9f57587
--- /dev/null
+++ b/ldap/openldap/debian/deb_patches/0002-Support-building-ppolicy-check-password-library.patch
@@ -0,0 +1,119 @@
+From d1891425d25aaa0a6aeb31e74be95dc8d2c3f90a Mon Sep 17 00:00:00 2001
+From: Andy Ning
+Date: Thu, 17 Mar 2022 15:22:48 -0400
+Subject: [PATCH] Support building ppolicy-check-password library
+
+The patch added support to build ppolicy-check-password library
+from:
+https://github.com/cedric-dufour/ppolicy-check-password/tree/debian-stretch
+commit: 02b9deeece428cbdae7970dfc5258a34e143cc28
+
+Signed-off-by: Andy Ning
+Signed-off-by: Yue Tao
+---
+ debian/control | 16 +++++++++++++++-
+ debian/rules | 11 +++++++++--
+ debian/slapd-ppolicy-check-password.dirs | 2 ++
+ debian/slapd-ppolicy-check-password.install | 2 ++
+ 4 files changed, 28 insertions(+), 3 deletions(-)
+ create mode 100644 debian/slapd-ppolicy-check-password.dirs
+ create mode 100644 debian/slapd-ppolicy-check-password.install
+
+diff --git a/debian/control b/debian/control
+index 7cad4d4..580f1a9 100644
+--- a/debian/control
++++ b/debian/control
+@@ -10,6 +10,7 @@ Build-Depends: debhelper (>= 10),
+ groff-base,
+ heimdal-multidev (>= 7.4.0.dfsg.1-1~) ,
+ libargon2-dev ,
++ libcrack2-dev ,
+ libdb5.3-dev ,
+ libgnutls28-dev,
+ libltdl-dev ,
+@@ -19,7 +20,8 @@ Build-Depends: debhelper (>= 10),
+ nettle-dev ,
+ perl:any,
+ po-debconf,
+- unixodbc-dev
++ unixodbc-dev ,
++ unzip
+ Build-Conflicts: libbind-dev, bind-dev, autoconf2.13
+ Standards-Version: 4.5.0
+ Homepage: https://www.openldap.org/
+@@ -67,6 +69,18 @@ Description: transitional package for slapd-contrib
+ This is a transitional package from slapd-smbk5pwd to slapd-contrib. It can be
+ safely removed.
+
++Package: slapd-ppolicy-check-password
++Section: net
++Priority: extra
++Architecture: any
++Build-Profiles:
++Depends: slapd, ${shlibs:Depends}, ${misc:Depends}
++Suggests: cracklib-runtime
++Description: PPolicy password (strength) checker module
++ Extends the PPolicy module with password strength checks. Enable with:
++ pwdCheckModule: check_password.so
++ pwdCheckQuality: 2
++
+ Package: ldap-utils
+ Architecture: any
+ Depends: ${shlibs:Depends}, libldap-2.4-2 (= ${binary:Version}), ${misc:Depends}
+diff --git a/debian/rules b/debian/rules
+index 5b8b75f..ef38c2f 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -119,9 +119,14 @@ override_dh_auto_configure:
+ dh_auto_configure -- $(CONFIG)
+
+ override_dh_auto_build:
++ unzip ppolicy-check-password-debian-stretch.zip
++ sed -i 's#check_password: clean check_password.o#check_password: check_password.o#g' ppolicy-check-password-debian-stretch/Makefile
++ mv ppolicy-check-password-debian-stretch contrib/slapd-modules/ppolicy-check-password
++ cp -f check_password.conf contrib/slapd-modules/ppolicy-check-password
++
+ dh_auto_build -- $(MAKEVARS)
+ ifeq ($(filter pkg.openldap.noslapd,$(DEB_BUILD_PROFILES)),)
+- for mod in $(CONTRIB_MODULES); do \
++ for mod in $(CONTRIB_MODULES) ppolicy-check-password; do \
+ dh_auto_build -Dcontrib/slapd-modules/$$mod -Bcontrib/slapd-modules/$$mod -- $(CONTRIB_MAKEVARS) || exit $$?; \
+ done
+ endif
+@@ -136,7 +141,7 @@ endif
+ override_dh_auto_install:
+ dh_auto_install -- $(MAKEVARS)
+ ifeq ($(filter pkg.openldap.noslapd,$(DEB_BUILD_PROFILES)),)
+- for mod in $(CONTRIB_MODULES); do \
++ for mod in $(CONTRIB_MODULES) ppolicy-check-password; do \
+ dh_auto_install -Dcontrib/slapd-modules/$$mod -Bcontrib/slapd-modules/$$mod -- $(CONTRIB_MAKEVARS) || exit $$?; \
+ done
+
+@@ -165,6 +170,8 @@ endif
+ find $(installdir)/usr/share/man -name \*.8 \
+ | xargs perl -pi -e 's#(\.TH \w+ 8)C#$$1#'
+
++ cp -f check_password.conf $(installdir)/etc/ldap
++
+ override_dh_installinit:
+ dh_installinit -- "defaults 19 80"
+
+diff --git a/debian/slapd-ppolicy-check-password.dirs b/debian/slapd-ppolicy-check-password.dirs
+new file mode 100644
+index 0000000..3d793ea
+--- /dev/null
++++ b/debian/slapd-ppolicy-check-password.dirs
+@@ -0,0 +1,2 @@
++etc/ldap
++usr/lib/ldap
+diff --git a/debian/slapd-ppolicy-check-password.install b/debian/slapd-ppolicy-check-password.install
+new file mode 100644
+index 0000000..3e6278a
+--- /dev/null
++++ b/debian/slapd-ppolicy-check-password.install
+@@ -0,0 +1,2 @@
++contrib/slapd-modules/ppolicy-check-password/check_password.conf etc/ldap
++usr/lib/ldap/check_password.so*
+--
+2.25.1
+
diff --git a/ldap/openldap/debian/deb_patches/series b/ldap/openldap/debian/deb_patches/series
index 5f6f82599..c48760188 100644
--- a/ldap/openldap/debian/deb_patches/series
+++ b/ldap/openldap/debian/deb_patches/series
@@ -1,2 +1,3 @@
 debian-disable-unit-tests.patch
 0001-Change-pid-file-and-args-file-location.patch
+0002-Support-building-ppolicy-check-password-library.patch
diff --git a/ldap/openldap/debian/files/check_password.conf b/ldap/openldap/debian/files/check_password.conf
new file mode 100644
index 000000000..c8ddd5dc9
--- /dev/null
+++ b/ldap/openldap/debian/files/check_password.conf
@@ -0,0 +1,31 @@
+## PPolicy password check module congifuration
+
+# Minimum number of quality points a new password must have to be accepted.
+# One quality point is awarded for each character class used in the password.
+#min_points 3
+min_points 4
+
+# Maximum number of characters that can appear consecutively from a given
+# character class (0 = disable).
+#max_consecutive_per_class 0
+
+# Minimum lower characters expected.
+#min_lower 0
+min_lower 1
+
+# Minimum upper characters expected.
+#min_upper 0
+min_upper 1
+
+# Minimum digit characters expected.
+#min_digit 0
+min_digit 1
+
+# Minimum punctuation characters expected.
+#min_punct 0
+min_punct 1
+
+# Set it to 1 to enable cracklib verification.
+#use_cracklib 0
+use_cracklib 1
+
diff --git a/ldap/openldap/debian/meta_data.yaml b/ldap/openldap/debian/meta_data.yaml
index 421b664d4..982271aa4 100644
--- a/ldap/openldap/debian/meta_data.yaml
+++ b/ldap/openldap/debian/meta_data.yaml
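Review bot: The `sed -i` line added to `override_dh_auto_build` in debian/rules (inside 0002-Support-building-ppolicy-check-password-library.patch) exits 0 even when its pattern no longer matches, so a changed upstream Makefile would silently keep the `clean` prerequisite instead of stopping the build. A guard on the line before it, such as `grep -q 'check_password: clean check_password.o' ppolicy-check-password-debian-stretch/Makefile`, would turn that assumption into a build failure. The `unzip` and `mv` steps also look non-repeatable: on a second build in the same tree `mv` would place the fresh extract inside the existing contrib/slapd-modules/ppolicy-check-password directory, and no matching clean step is visible in this patch. A one-line comment above the four new recipe lines saying why `clean` is dropped from the upstream rule would help the next maintainer.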
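Review bot: `use_cracklib 1` in check_password.conf makes the password check depend on a cracklib dictionary at run time, but the slapd-ppolicy-check-password stanza added in the same commit lists cracklib-runtime only under `Suggests:`, so nothing visible here guarantees the dictionary is present on the image. It is worth confirming how check_password.so behaves when the dictionary is missing (reject every change, or skip the check) and, if it skips, moving cracklib-runtime to `Depends:`. The header comment has a typo and should read `## PPolicy password check module configuration`. A short comment stating that `min_points 4` together with the four `min_* 1` settings requires all four character classes would make the intended policy explicit.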
@@ -5,6 +5,12 @@ dl_path:
 url: https://salsa.debian.org/openldap-team/openldap/-/archive/2.4.57+dfsg-3/openldap-2.4.57+dfsg-3.tar.gz
 md5sum: 85c7de35e79b8fe45b5d6aabba2b9a3d
 sha256sum: be60a9e51d8be36e1ccfb64db55d9d2ebe280137368fc5abdcdfd86042e053c2
+dl_files:
+ ppolicy-check-password-debian-stretch.zip:
+ topdir: null
+ url: https://github.com/cedric-dufour/ppolicy-check-password/archive/refs/heads/debian-stretch.zip
+ md5sum: 3d9c40e10568255d1db1271cc5f5e203
+ sha256sum: 5a6e0222e948cb3cbafef769ecbbea718d2f724f9c34b8dfb0a2266735a451c9
 revision:
 dist: $STX_DIST
 PKG_GITREVCOUNT:
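Review bot: The `url` under `dl_files` fetches the moving head of the debian-stretch branch (`archive/refs/heads/debian-stretch.zip`), while the embedded patch description names commit 02b9deeece428cbdae7970dfc5258a34e143cc28 as the source. Assuming the build tooling enforces `sha256sum`, the download will fail once the branch advances, which is the safe outcome but breaks rebuilds, and the URL itself never states which revision was reviewed. Pointing it at the commit archive, `url: https://github.com/cedric-dufour/ppolicy-check-password/archive/02b9deeece428cbdae7970dfc5258a34e143cc28.zip`, ties the source and the checksum to the same revision. Both checksums would need regenerating, and the top-level directory inside the zip would be named after the commit, so the `unzip`/`sed`/`mv` paths in debian/rules would change with it.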